When using a cloudfront to front a static s3 hosted website as an origin, cloudfront may only use http-only:
HTTP Only – CloudFront uses only HTTP to access the origin. This is the default setting when the origin is an Amazon S3 static website hosting endpoint and cannot be changed.
I don't think the rule should ignore this. While AWS guarantees the security of the connection between CloudFront and S3, this does not apply to the security of the connection between the viewer and CloudFront.
You can use https with S3 buckets if you use a custom certificate/DNS. That being said, that's still not compliant with the rule, because while you can use "redirect http to https" you can't use the "https only".
dontirun added the `other` label (This issue doesn't fit into the other categories) and removed the `bug` (Something isn't working) and `needs-triage` (This issue or PR still needs to be triaged.) labels on May 14, 2024
What is the problem?
When using a cloudfront to front a static s3 hosted website as an origin, cloudfront may only use `http-only`.
This conflicts with the `CloudFrontDistributionNoOutdatedSSL` rule which marks it as non compliant.
Reproduction Steps
When using `isWebsite = true`, `S3Origin` uses a `HttpOrigin` (aka `CustomOriginConfig`) which triggers the rule validation.
What did you expect to happen?
It should exclude the S3 Origin as the security of the connections is ensured by AWS.
What actually happened?
cdk-nag version
2.28.114
Language
Typescript
Other information
No response
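As an added example (not code from cdk-nag or from this issue), the TypeScript below classifies the origins of a synthesized distribution so that the S3 website case described above is reported separately from genuinely weak origin settings. The `Origin` shape follows CloudFormation property names; the `OUTDATED` list, the endpoint regex, the verdict names and the sample origins are assumptions of this example.

```typescript
// Added example: plain objects shaped like the "Origins" list of an
// AWS::CloudFront::Distribution resource. This is not cdk-nag's rule code.
interface Origin {
  Id: string;
  DomainName: string;
  S3OriginConfig?: object;
  CustomOriginConfig?: { OriginProtocolPolicy: string; OriginSSLProtocols?: string[] };
}

type Verdict = "ok" | "s3-website-http-only" | "non-compliant";

// S3 static website endpoints use <bucket>.s3-website-<region>.amazonaws.com
// or <bucket>.s3-website.<region>.amazonaws.com (assumed pattern for this example).
const S3_WEBSITE = /\.s3-website[.-][a-z0-9-]+\.amazonaws\.com(\.cn)?$/;
// Assumption: the protocol versions this example treats as outdated.
const OUTDATED = ["SSLv3", "TLSv1", "TLSv1.1"];

function classifyOrigin(o: Origin): Verdict {
  const c = o.CustomOriginConfig;
  if (!c) return "ok"; // S3OriginConfig carries no origin protocol settings to check
  const weakTls = (c.OriginSSLProtocols ?? []).some((p) => OUTDATED.indexOf(p) !== -1);
  if (c.OriginProtocolPolicy === "https-only" && !weakTls) return "ok";
  // A website endpoint is a custom origin fixed at http-only: report it as its
  // own category so it can be reviewed instead of silently passed or failed.
  if (S3_WEBSITE.test(o.DomainName) && c.OriginProtocolPolicy === "http-only") {
    return "s3-website-http-only";
  }
  return "non-compliant";
}

function report(origins: Origin[]): Record<string, Verdict> {
  const out: Record<string, Verdict> = {};
  for (const o of origins) out[o.Id] = classifyOrigin(o);
  return out;
}

// Constructed sample origins (hypothetical names and domains).
const SAMPLE: Origin[] = [
  { Id: "site", DomainName: "example-bucket.s3-website-us-east-1.amazonaws.com",
    CustomOriginConfig: { OriginProtocolPolicy: "http-only", OriginSSLProtocols: ["TLSv1.2"] } },
  { Id: "rest", DomainName: "example-bucket.s3.us-east-1.amazonaws.com", S3OriginConfig: {} },
  { Id: "api", DomainName: "api.example.com",
    CustomOriginConfig: { OriginProtocolPolicy: "https-only", OriginSSLProtocols: ["TLSv1.2"] } },
  { Id: "legacy", DomainName: "legacy.example.com",
    CustomOriginConfig: { OriginProtocolPolicy: "https-only", OriginSSLProtocols: ["TLSv1", "TLSv1.2"] } },
  { Id: "plain", DomainName: "plain.example.com",
    CustomOriginConfig: { OriginProtocolPolicy: "http-only" } },
];
```

Calling `report(SAMPLE)` returns one verdict per origin `Id`; the `s3-website-http-only` verdict is the case this issue is about, kept distinct so any suppression can carry its own written justification.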